Cloudflare

General

• Upgrade to Cloudflare PRO
• Use API tokens instead of e-mail/API key
• Host header validation on ALB

DNS

• Enable Proxy (orange cloud) when possible (publicly accesible records)

SSL/TLS

• SSL/TLS: FULL
• Enable "Always use HTTPS" option
• Enable HSTS
  • Max-age: 31536000 # 1 year
  • Preload: On
  • Subdomains: On
  • No-sniff: On
• Enable Opportunistic Encryption
• Enable Onion Routing
• Set minimum TLS version to 1.2
• Enable TLS 1.3

Speed

• Enable Auto Minify
• Enable Brotli compression
• Enable Enhanced HTTP/2 Prioritization
• Enable TCP Turbo
• Enable Mirage
• Enable Rocket Loader™
• Polish
  • Lossless: Remove only image metadata, no image quality lost
  • Lossy: Slightly reduction on image quality, almost unnoticeable
• Enable WebP

Page Rules

• Cache level: Bypass → Avoid cache on a specific domain

Network

• Enable HTTP/2

Using Cloudflare with an API

• Using Cloudflare with your API